U.S. OFFICE OF PERSONNEL MANAGEMENT
OFFICE OF THE INSPECTOR GENERAL
OFFICE OF AUDITS

Final Audit Report

Subject:

AUDIT OF INFORMATION SYSTEMS GENERAL AND APPLICATION CONTROLS AT HEALTH CARE SERVICE CORPORATION

Report No. 1A-10-17-13-026
Date: January 28, 2014

--CAUTION--
This audit report has been distributed to Federal officials who are responsible for the administration of the audited program. This audit report may contain proprietary data which is protected by Federal law (18 U.S.C. 1905). Therefore, while this audit report is available under the Freedom of Information Act and made available to the public on the OIG webpage, caution needs to be exercised before releasing the report to the general public as it may contain proprietary information that was redacted from the publicly distributed copy.

Audit Report

FEDERAL EMPLOYEES HEALTH BENEFITS PROGRAM
CONTRACT 1039
HEALTH CARE SERVICE CORPORATION
PLAN CODES 10/11
CHICAGO, ILLINOIS

Report No. 1A-10-17-13-026
Date: January 28, 2014

________________________
Michael R. Esser
Assistant Inspector General for Audits

Executive Summary

This final report discusses the results of our audit of general and application controls over the information systems at Health Care Service Corporation (HCSC or Plan).

Our audit focused on the claims processing applications used to adjudicate Federal Employees Health Benefits Program (FEHBP) claims for HCSC, as well as the various processes and information technology (IT) systems used to support these applications. We documented controls in place and opportunities for improvement in each of the areas below.

Security Management
Nothing came to our attention to indicate that HCSC does not have an adequate security management program.

Access Controls
HCSC has implemented numerous controls to grant and remove physical access to its data center, as well as logical controls to protect sensitive information. All weaknesses identified during the audit were remediated.

Network Security
HCSC has implemented a thorough incident response and network security program. However, we noted several opportunities for improvement related to HCSC’s network security controls. Several specific servers containing Federal data are not subject to routine vulnerability scanning. The results of the vulnerability scans also indicated that these servers had outdated system patches and software. HCSC has also not implemented a process to monitor and audit the activity of privileged users on their information systems.

Configuration Management
HCSC has developed formal policies and procedures that provide guidance to ensure that system software is appropriately configured and updated, as well as for controlling system software configuration changes.
However, HCSC has not documented a formal baseline configuration outlining the approved settings for its mainframe installation and therefore cannot effectively audit its mainframe security settings. HCSC has also not developed a process to audit its server configuration settings to ensure compliance with the approved standard images.

Contingency Planning
We reviewed HCSC’s business continuity and disaster recovery plans and concluded that they contained the key elements suggested by relevant guidance and publications. We also determined that these documents are reviewed, updated, and tested on a periodic basis.

Claims Adjudication
HCSC has implemented many controls in its claims adjudication process to ensure that FEHBP claims are processed accurately. However, we noted several weaknesses in HCSC’s claims application controls.

Health Insurance Portability and Accountability Act (HIPAA)
Nothing came to our attention that caused us to believe that HCSC is not in compliance with the HIPAA security, privacy, and national provider identifier regulations.

Contents

                                                                Page
Executive Summary ................................................ i
I. Introduction .................................................. 1
     Background .................................................. 1
     Objectives .................................................. 1
     Scope ....................................................... 2
     Methodology ................................................. 2
     Compliance with Laws and Regulations ........................ 3
II. Audit Findings and Recommendations ........................... 4
     A. Security Management ...................................... 4
     B. Access Controls .......................................... 4
     C. Network Security ......................................... 6
     D. Configuration Management ................................. 9
     E. Contingency Planning .................................... 11
     F. Claims Adjudication ..................................... 12
     G. Health Insurance Portability and Accountability Act ..... 16
III. Major Contributors to This Report .......................... 17
     Appendix: HCSC’s September 10, 2013 response to the draft audit report issued July 3, 2013.

I. Introduction

This final report details the findings, conclusions, and recommendations resulting from the audit of general and application controls over the information systems responsible for processing Federal Employees Health Benefits Program (FEHBP) claims by Health Care Service Corporation (HCSC).

The audit was conducted pursuant to FEHBP contract CS1039; 5 U.S.C. Chapter 89; and 5 Code of Federal Regulations (CFR) Chapter 1, Part 890. The audit was performed by the U.S. Office of Personnel Management’s (OPM) Office of the Inspector General (OIG), as established by the Inspector General Act of 1978, as amended.

Background
The FEHBP was established by the Federal Employees Health Benefits Act (the Act), enacted on September 28, 1959. The FEHBP was created to provide health insurance benefits for federal employees, annuitants, and qualified dependents. The provisions of the Act are implemented by OPM through regulations codified in Title 5, Chapter 1, Part 890 of the CFR. Health insurance coverage is made available through contracts with various carriers that provide service benefits, indemnity benefits, or comprehensive medical services.

This was our second audit of HCSC’s general and application controls. The first audit was conducted in 2005 and all recommendations from that audit were closed prior to the start of the current audit. We also reviewed HCSC’s compliance with the Health Insurance Portability and Accountability Act (HIPAA).

All HCSC personnel that worked with the auditors were helpful and open to ideas and suggestions. They viewed the audit as an opportunity to examine practices and to make changes or improvements as necessary.
Their positive attitude and helpfulness throughout the audit were greatly appreciated.

Objectives
The objectives of this audit were to evaluate controls over the confidentiality, integrity, and availability of FEHBP data processed and maintained in HCSC’s IT environment. We accomplished these objectives by reviewing the following areas:
• Security management;
• Access controls;
• Configuration management;
• Segregation of duties;
• Contingency planning;
• Application controls specific to HCSC’s claims processing systems; and
• HIPAA compliance.

Scope
This performance audit was conducted in accordance with generally accepted government auditing standards issued by the Comptroller General of the United States. Accordingly, we obtained an understanding of HCSC’s internal controls through interviews and observations, as well as inspection of various documents, including information technology and other related organizational policies and procedures. This understanding of HCSC’s internal controls was used in planning the audit by determining the extent of compliance testing and other auditing procedures necessary to verify that the internal controls were properly designed, placed in operation, and effective.

The scope of this audit centered on the information systems used by HCSC to process medical insurance claims for FEHBP members, with a primary focus on the claims adjudication applications. HCSC uses a system [redacted] to process claims locally before submitting the claims through [redacted], the [redacted] Association’s (BCBSA) claims adjudication system. The business processes reviewed are primarily located in HCSC’s Chicago, Illinois; Abilene, Texas; Plano, Texas; and Ft. Worth, Texas facilities.

The on-site portion of this audit was performed from April through May of 2013. We completed additional audit work before and after the on-site visit at our office in Washington, D.C. The findings, recommendations, and conclusions outlined in this report are based on the status of information system general and application controls in place at HCSC as of May 2013.

In conducting our audit, we relied to varying degrees on computer-generated data provided by HCSC. Due to time constraints, we did not verify the reliability of the data used to complete some of our audit steps, but we determined that it was adequate to achieve our audit objectives. However, when our objective was to assess computer-generated data, we completed audit steps necessary to obtain evidence that the data was valid and reliable.

Methodology
In conducting this review we:
• Gathered documentation and conducted interviews;
• Reviewed HCSC’s business structure and environment;
• Performed a risk assessment of HCSC’s information systems environment and applications, and prepared an audit program based on the assessment and the Government Accountability Office’s (GAO) Federal Information System Controls Audit Manual (FISCAM); and
• Conducted various compliance tests to determine the extent to which established controls and procedures are functioning as intended. As appropriate, we used judgmental sampling in completing our compliance testing.

Various laws, regulations, and industry standards were used as a guide to evaluating HCSC’s control structure.
These criteria include, but are not limited to, the following publications:
• Title 48 of the Code of Federal Regulations;
• Office of Management and Budget (OMB) Circular A-130, Appendix III;
• OMB Memorandum 07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information;
• Information Technology Governance Institute’s CobiT: Control Objectives for Information and Related Technology;
• GAO’s FISCAM;
• National Institute of Standards and Technology’s Special Publication (NIST SP) 800-12, Introduction to Computer Security;
• NIST SP 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems;
• NIST SP 800-30, Risk Management Guide for Information Technology Systems;
• NIST SP 800-34, Contingency Planning Guide for Information Technology Systems;
• NIST SP 800-41, Guidelines on Firewalls and Firewall Policy;
• NIST SP 800-53 Revision 3, Recommended Security Controls for Federal Information Systems and Organizations;
• NIST SP 800-61, Computer Security Incident Handling Guide;
• NIST SP 800-66 Revision 1, An Introductory Resource Guide for Implementing the HIPAA Security Rule; and
• HIPAA Act of 1996.

Compliance with Laws and Regulations
In conducting the audit, we performed tests to determine whether HCSC’s practices were consistent with applicable standards.
While generally compliant with respect to the items tested, HCSC was not in complete compliance with all standards, as described in the “Audit Findings and Recommendations” section of this report.

II. Audit Findings and Recommendations

A. Security Management
The security management component of this audit involved the examination of the policies and procedures that are the foundation of HCSC’s overall IT security controls. We evaluated HCSC’s ability to develop security policies, manage risk, assign security-related responsibility, and monitor the effectiveness of various system-related controls.

HCSC has implemented a series of formal policies and procedures that comprise its security management program. HCSC’s Chief Information Security Officer is responsible for creating, reviewing, editing, and disseminating IT security policies. HCSC’s Risk Assessment Service Team developed an impressive risk management methodology and assessment process with procedures to document, track, and mitigate or accept identified risks. We also reviewed HCSC’s human resources policies and procedures related to hiring, training, transferring, and terminating employees.

Nothing came to our attention to indicate that HCSC does not have an adequate security management program.

B. Access Controls
Access controls are the policies, procedures, and techniques used to prevent or detect unauthorized physical or logical access to sensitive resources.

We examined the physical access controls at HCSC’s headquarters building, two satellite locations, and its data centers.
We also examined the logical controls protecting sensitive data on HCSC’s network environment and claims processing applications.

The access controls observed during this audit include, but are not limited to:
• Procedures for appropriately granting physical access to facilities and data centers;
• Procedures for revoking access to data centers for terminated employees;
• Procedures for removing network access for terminated employees; and
• Procedures for recertifying employees’ access to systems and applications.

However, HCSC’s process to remove employees’ physical access after termination could be improved. We compared a list of employees with active access to HCSC facilities to a list of employees that were terminated in the last year. We discovered over 30 terminated employees that retained access to various facilities. None of the employees that retained access following termination had access to the data center.

HCSC does not currently have a process in place to routinely audit employees’ physical access to non-data center facilities. NIST SP 800-53 Revision 3 states that an organization must terminate access upon termination of employment. NIST SP 800-53 also states that an organization must review and analyze system audit records for indications of inappropriate or unusual activity. Failure to remove and audit physical access to terminated users increases the risk that a terminated employee could enter a facility and steal, modify, or delete sensitive and proprietary information.

At the end of the fieldwork phase of the audit, HCSC stated that it has instituted a temporary control to detect improper removal of facility access.
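The comparison the auditors describe above (active facility-access badges reconciled against the HR list of employees terminated in the last year) is the kind of check a weekly audit job can run. The following is an added example, not code from the OIG report or from HCSC; the badge export, the termination list, the facility codes and the one-year lookback are constructed for illustration.

```python
"""Reconcile a badge-system export against an HR termination list.

Added example (not the OIG's or HCSC's code). The audit step is a join of two
populations: employees whose physical-access badge is still active, and
employees terminated within the lookback window. Anyone in both is a finding.
All records below are constructed sample data.
"""
import csv
import io
from datetime import date, timedelta

# Constructed badge-system export: facility codes are ';'-separated.
BADGE_EXPORT = """\
employee_id,name,badge_status,facilities
1001,A. Example,active,HQ;ABILENE
1002,B. Example,active,HQ
1003,C. Example,inactive,HQ;DATACENTER
1004,D. Example,active,PLANO;DATACENTER
1005,E. Example,active,FTWORTH
"""

# Constructed HR termination list.
HR_TERMINATIONS = """\
employee_id,termination_date
1001,2013-02-14
1003,2012-11-30
1004,2011-01-15
1005,2013-04-30
"""

# Facilities the report tracks separately (constructed code name).
DATA_CENTER_FACILITIES = {"DATACENTER"}


def parse_badges(text):
    """Return {employee_id: (badge_status, set_of_facility_codes)}."""
    out = {}
    for row in csv.DictReader(io.StringIO(text)):
        facilities = {f for f in row["facilities"].split(";") if f}
        out[row["employee_id"]] = (row["badge_status"].strip().lower(), facilities)
    return out


def parse_terminations(text):
    """Return {employee_id: termination_date} from the HR export."""
    return {row["employee_id"]: date.fromisoformat(row["termination_date"])
            for row in csv.DictReader(io.StringIO(text))}


def find_retained_access(badges, terminations, as_of, lookback_days=365):
    """Employees terminated inside the lookback window whose badge is still active.

    Returns a list sorted by employee id; each entry records the facilities still
    reachable and whether any of them is a data center.
    """
    window_start = as_of - timedelta(days=lookback_days)
    findings = []
    for emp_id, term_date in terminations.items():
        if not (window_start <= term_date <= as_of):
            continue  # outside the "terminated in the last year" population
        # No badge record at all means there is no physical access to reconcile.
        status, facilities = badges.get(emp_id, ("none", set()))
        if status != "active":
            continue  # access was removed: not a finding
        findings.append({
            "employee_id": emp_id,
            "terminated": term_date.isoformat(),
            "days_since_termination": (as_of - term_date).days,
            "facilities": sorted(facilities),
            "data_center": bool(facilities & DATA_CENTER_FACILITIES),
        })
    return sorted(findings, key=lambda f: f["employee_id"])


def run_weekly_audit(as_of=date(2013, 5, 15)):
    """The check a weekly audit job would run; returns the findings list."""
    return find_retained_access(parse_badges(BADGE_EXPORT),
                                parse_terminations(HR_TERMINATIONS), as_of)


if __name__ == "__main__":
    for finding in run_weekly_audit():
        print(finding)
```

The `days_since_termination` field is what makes the weekly report actionable: a badge still active a day after termination is a process lag, one still active after three months is the control failure the finding describes. Keeping the data-center flag separate mirrors the report's distinction between data-center access, which HCSC did revoke, and other facilities, which it did not.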
The control involves [redacted]. HCSC is currently testing a new card access system that should be a better long-term solution to ensure that physical access is appropriately removed following employee termination. The anticipated implementation date of the new system is in calendar year 2014.

Recommendation 1
As part of the audit resolution process, we recommend that HCSC provide evidence of several iterations of the weekly audit process.

HCSC Response:
“[redacted]”

OIG Reply:
The evidence provided by HCSC in response to the draft audit report indicates that the Plan has implemented a weekly audit process; no further action is required.

Recommendation 2
We recommend that HCSC implement a methodology to ensure that physical access to facilities is removed promptly following employee termination.

HCSC Response:
“Reference Plan response in recommendation #1 above.”

OIG Reply:
The evidence provided by HCSC in response to the draft audit report indicates that the Plan has implemented a process to ensure that physical access to facilities is removed promptly following an employee termination; no further action is required.

C. Network Security
Network security includes the policies and controls used to prevent or monitor unauthorized access, misuse, modification, or denial of a computer network and network-accessible resources.

HCSC has implemented a thorough incident response and network security program. As noted in Section A, Security Management, HCSC has also implemented a robust risk assessment process.
HCSC’s risk assessment procedures include a thorough vulnerability scan and penetration test on the target information system, followed by a remediation process for any weaknesses identified.

We evaluated HCSC’s network security program and also reviewed the results of automated vulnerability scans performed during this audit. We noted the following opportunities for improvement related to HCSC’s network security controls.

1. Full Scope Vulnerability Scanning
We reviewed HCSC’s computer server vulnerability management program to determine if adequate controls were in place to detect, track, and remediate vulnerabilities.

Although HCSC routinely performs vulnerability scans, we discovered that several servers containing Federal data are not subject to routine vulnerability scanning. NIST SP 800-53 Revision 3 states that the organization should scan “for vulnerabilities in the information system and hosted applications….”

Failure to perform full scope vulnerability scanning increases the risk that HCSC’s systems could be compromised and sensitive data stolen or destroyed.

Recommendation 3
We recommend that HCSC ensure that vulnerability scanning is conducted on all servers, specifically the servers housing Federal data that are not currently part of HCSC’s vulnerability management program.

HCSC Response:
“The Plan stated it is currently deploying the capabilities to validate security settings of systems to ensure their security posture is regularly validated and reported. The Security Validation capabilities will focus on measuring adherence to approved security baselines and measuring the remediation of security vulnerabilities through the application of patches.
The validation capabilities are being rolled out by platform, with the initial deployment operational by [redacted]. At that time, a server list will be compiled by the HCSC configuration management system; the servers identified will be scanned at least annually.”

OIG Reply:
As part of the audit resolution process, we recommend that HCSC provide OPM’s Healthcare and Insurance Office (HIO) with evidence that vulnerability scanning has been implemented for all servers.

2. Vulnerabilities Identified in Scan Results

System Patching
HCSC has documented patch management policies and procedures. However, the results of the vulnerability scans indicate that critical patches, service packs, and hot fixes are not always implemented in a timely manner.

FISCAM Critical Element CM-5 states that “Software should be scanned and updated frequently to guard against known vulnerabilities.” NIST SP 800-53 section SI-2 states “The organization (including any contractor to the organization) promptly installs security-relevant software updates (e.g., patches, service packs, and hot fixes). Flaws discovered during security assessments, continuous monitoring, incident response activities, or information system error handling, are also addressed expeditiously.”

Failure to promptly install important updates increases the risk that vulnerabilities will not be remediated and sensitive information could be stolen.

Recommendation 4
We recommend that HCSC implement procedures and controls to ensure that production servers are installed with appropriate patches, service packs, and hotfixes on a timely basis.

HCSC Response:
“The Plan states [redacted] it will develop a plan to supplement existing operational patching processes.
The Plan will include a revised patch management policy, milestones for creating platform-specific standards, and a roadmap for implementing operational process enhancements.”

OIG Reply:
As part of the audit resolution process, we recommend that HCSC provide OPM’s HIO with evidence of the new patch management process implementation and the correlating vulnerability scan results that indicate that patching has occurred.

Noncurrent Software
The results of the vulnerability scans indicated that several servers contained noncurrent software applications that were no longer supported by the vendors and have known security vulnerabilities.

FISCAM states that “Procedures should ensure that only current software releases are installed in information systems. Noncurrent software may be vulnerable to malicious code such as viruses and worms.”

Failure to promptly remove outdated software increases the risk of a successful malicious attack on the information system.

Recommendation 5
We recommend that HCSC implement a methodology to ensure that only current and supported versions of system software are installed on the production servers.

HCSC Response:
“The Plan states it is aware that some unsupported software runs on its network and agrees it would be preferable for all software to be at current versions. There will be occasions where their business and Information Technology Group (ITG) departments partner to make risk-aware decisions to not upgrade or replace software. Software that is to become unsupported is inventoried and the impacts of upgrading, replacing, or accepting risk are discussed with business owners.
Decisions to not upgrade low risk software may be based on business drivers such as ‘Reliant applications are to be retired’ or ‘the Plan will pay for extended vendor support until internal resources are available for the upgrade’.

In 2011, the Plan initiated a Technology Lifecycle Management program to address software and hardware currency. Under this program, the Plan maintains a centralized repository of technologies (Enterprise Technology Catalog) containing internal technology owner, vendor, HCSC lifecycle dates, next in line products (for products going out of support) and other metadata that describes the uses within HCSC. Regular audits of our applications are conducted to ensure support teams consider software currency. We expect the amount of unsupported software to decrease as the program matures.”

OIG Reply:
The evidence provided by HCSC in response to the draft audit report indicates that the Plan has implemented a methodology to ensure that only current and supported versions of system software are installed on the production servers unless there is a business justification; no further action is required.

3. Privileged User Access Monitoring
HCSC has configured its network devices to record the activity of privileged users (i.e., system administrators). However, the event logs generated by these servers are only reviewed retroactively if a problem has been reported or detected.

NIST SP 800-53 Revision 3 requires that an organization “Reviews and analyzes information system audit records . . . for indications of inappropriate or unusual activity, and reports findings to designated organizational officials.”

Failure to routinely review elevated user activity increases the risk that malicious activity could go undetected and sensitive information could be compromised.

Recommendation 6
We recommend that HCSC implement a process to routinely review elevated user (administrator) activity.

HCSC Response:
“The Plan states it maintains a near real-time security monitoring and analysis program. Security event correlation rules are in place to monitor user activity including those with elevated privileges. When correlation rules are triggered for all types of users, including those with elevated privileges, they are investigated and documented [redacted]. These completed investigations, including case closure notes, are then presented to senior leadership on a quarterly and annual basis. Senior leadership reviews the documentation and provides feedback as appropriate.”

OIG Reply:
Our understanding of the controls described in HCSC’s response is that they only apply to monitoring initial user login activity. The intent of this recommendation is for HCSC to implement a process to routinely review the activity of users with specialized access, not just to review the log-on activity associated with specialized users. During our audit, we observed the SEM tool and determined that the level of review that results from the correlation rules is not sufficient. Managers should be reviewing all activity performed by specialized users to ensure the elevated privileges are not being abused.

D. Configuration Management

System Software
The HCSC claims processing application, [redacted]. The platform includes many supporting applications and system interfaces. We evaluated HCSC’s management of the configuration of [redacted] and determined that the following controls were in place:
• Documented corporate configuration policies and procedures;
• Approved server configuration images; and
• Thorough change management procedures for system software.

The sections below document areas for improvement related to HCSC’s configuration management controls.

1. Baseline Configuration Policy
HCSC has created corporate configuration policies to establish configuration management responsibilities within IT functional areas and to ensure security requirements are met. However, HCSC has not documented a formal baseline configuration outlining the approved settings for its mainframe installation.

NIST SP 800-53 Revision 3 states that an organization must develop, document, and maintain a current baseline configuration of the information system.

Failure to establish approved system configuration settings increases the risk the system may not meet performance requirements defined by the organization.

Recommendation 7
We recommend that HCSC document approved mainframe security configurations.

HCSC Response:
“The Plan states it currently configures its mainframe systems to adhere to a common, consistent set of security settings. These security configuration settings are applied to the mainframe baselines.
The Plan will formally document the existing security configuration standard for mainframe systems by September 30, 2013.”

OIG Reply:
As part of the audit resolution process, we recommend that HCSC provide OPM’s HIO with evidence that the security configuration standard for mainframe systems is formally documented.

2. Configuration Compliance Auditing
As noted above, HCSC does not maintain approved mainframe security configurations, and therefore cannot effectively audit its mainframe security settings (i.e., there are no approved settings to which to compare the actual settings).

Although HCSC does have approved configuration images for its network servers, it does not routinely audit its servers for compliance with the approved configuration settings.

NIST SP 800-53 Revision 3 also states that an organization must monitor and control changes to the configuration settings in accordance with organizational policies and procedures. FISCAM requires current configuration information to be routinely monitored for accuracy. Monitoring should address the baseline and operational configuration of the hardware, software, and firmware that comprise the information system.

Failure to implement a thorough configuration compliance auditing program increases the risk that insecurely configured servers remain undetected, creating a potential gateway for malicious virus and hacking activity that could lead to data breaches.

Recommendation 8
We recommend that HCSC routinely audit mainframe security configuration settings to ensure they are in compliance with the approved baseline.

HCSC Response:
“The Plan is currently deploying the capabilities to validate security settings of systems to ensure their security posture is regularly validated and reported.
The Security Validation capabilities will focus on measuring adherence to approved security baselines and measuring the remediation of security vulnerabilities through the application of patches. Planned steps and timeline include:

•   Finalize mainframe security configuration standard (in process);
•                    ; and
•   Build and execute configuration review process for mainframe.

The validation capabilities are being rolled          . A plan for the mainframe checks will be in place by          .”

OIG Reply:
As part of the audit resolution process, we recommend that HCSC provide OPM’s HIO with evidence that the mainframe security configuration settings are being routinely audited to comply with the baseline created as a result of Recommendation 7.

Recommendation 9
We recommend that HCSC routinely audit network server security configuration settings to ensure they are in compliance with the approved configuration images.

HCSC Response:
“The Plan states it is currently deploying the capabilities to validate security settings of systems to ensure their security posture is regularly validated and reported. The Security Validation capabilities will focus on measuring adherence to approved security baselines and measuring the remediation of security vulnerabilities through the application of patches. The validation capabilities are being rolled out          . Network server setting configurations are scheduled to be in place by          .”

OIG Reply:
As part of the audit resolution process, we recommend that HCSC provide OPM’s HIO with evidence that the network server security configuration settings are being routinely audited to comply with the approved configuration images.

E.
Contingency Planning
We reviewed the following elements of HCSC’s contingency planning program to determine whether controls were in place to prevent or minimize interruptions to business operations when disastrous events occur:
•   Disaster response plan;
•   Business continuity plan for data center operations;
•   Business continuity plans for claims processing operations and claims support;
•   Disaster recovery plan tests conducted in conjunction with the alternate data center; and
•   Emergency response procedures and training.

We determined that the service continuity documentation contained the critical elements suggested by NIST SP 800-34, “Contingency Planning Guide for IT Systems.” HCSC has identified and prioritized the systems and resources that are critical to business operations, and has developed detailed procedures to recover those systems and resources.

Nothing came to our attention to indicate that HCSC has not implemented adequate controls related to contingency planning.

F. Claims Adjudication
The following sections detail our review of the applications and business processes supporting HCSC’s claims adjudication process.

1. Application Configuration Management
We evaluated the policies and procedures governing application development and change control of HCSC’s claims processing systems.

HCSC has implemented policies and procedures related to application configuration management, and has also adopted a system development life cycle methodology that IT personnel follow during routine software modifications.
We observed the following controls related to testing and approvals of software modifications:
•   HCSC has adopted practices that allow modifications to be tracked throughout the change process;
•   Code, unit, system, and quality testing are all conducted in accordance with industry standards; and
•   HCSC uses a business unit independent from the software developers to move the code between development and production environments to ensure adequate segregation of duties.

Nothing came to our attention to indicate that HCSC has not implemented adequate controls related to the application configuration management process.

2. Claims Processing System
We evaluated the input, processing, and output controls associated with HCSC’s claims processing systems. We determined that HCSC has implemented policies and procedures to help ensure that:
•   Paper claims that are received in the mail room are tracked to ensure timely processing;
•   Claims are monitored as they are processed through the systems, with real-time tracking of the system’s performance; and
•   Claims scheduled for payment are actually paid.

Nothing came to our attention to indicate that HCSC has not implemented adequate controls over the claims processing system.

3. Debarment
HCSC has adequate procedures for updating the          system with debarred provider information, but it does not routinely audit the debarment database for accuracy.

HCSC receives the OPM OIG debarment list every month and compares the monthly changes to the          debarred provider file.
Any new debarred providers are added in order to flag claims submitted by that provider, to notify the member of the provider’s status, and to initiate the 15-day grace period in which the member has to find a new provider before further service will be denied by the system.

However, this process is done manually, and HCSC does not have an auditing process in place to ensure that all modifications are accurate and complete.

Failure to audit the accuracy of the debarment file increases the risk that claims are being paid to providers that are debarred.

Recommendation 10
We recommend that HCSC implement a process to routinely audit the provider file to ensure that all debarment-related modifications are complete and accurate.

HCSC Response:
“The Plan currently has technicians in the Service Delivery Operations (SDO) department pull Debarred Provider reports. The Debarred Provider reports are sent to responsible resources in the Federal Employee Program (FEP) Operations, Corporate Compliance, Government Programs Marketing, and Government Contracts Processing departments for review. Once each area performs their review of the report, a notification e-mail is sent to the responsible SDO Technicians and FEP Operations Management.

On a quarterly basis, FEP Operations Management will pull a sample from the original reports to confirm the accuracy and timeliness of the updates. Partial quarterly reviews were performed in April 2013 and June 2013. The first full quarter review will be performed in 4th Quarter 2013.”

OIG Reply:
As part of the audit resolution process, we recommend that HCSC provide OPM’s HIO with evidence of the full review process at the end of the 4th quarter, 2013, as well as evidence of several subsequent full quarterly reviews.

4.
Application Controls Testing
We conducted a test on HCSC’s claims adjudication application,          to validate the system’s processing controls. The exercise involved processing test claims designed with inherent flaws and evaluating the manner in which HCSC’s systems adjudicated the claims.

Our test results indicate that controls and system edits are in place to identify the following scenarios:
•   Invalid members and providers;
•   Member eligibility;
•   Gender inconsistency;
•   Overlapping facility claims;
•   Timely filing; and
•   Catastrophic maximum.

The sections below document opportunities for improvement related to HCSC’s claims application controls.

a. Place of Service/Procedure Inconsistency
Test claims were processed where the place of service (POS) was not valid for the procedure performed.

We entered test claims into                    with a

Despite this inconsistency, neither                    deferred or suspended these claims.

These system weaknesses increase the risk that benefits are being paid for procedures that were not actually performed.

At the conclusion of the fieldwork phase of our audit, BCBSA provided evidence that an edit exists regarding types of bill and procedure codes that are not compatible with place of service codes.
                    The intent of our claims testing is to identify areas for improvement within the claims processing system that can be generalized and extrapolated.
The overall risk that claims are being paid for services with invalid place of service codes is still present.

This risk was acknowledged by the BCBSA, and we were informed that they “will be initiating a project at the Operations Center to review the validity of the acceptable services on this Table.”

Recommendation 11
We recommend that the BCBSA conduct a full review of place of service codes to appropriately tailor the edit to ensure claims are not being inappropriately processed.

HCSC Response:
“FEP currently has an edit in          that would defer claims if the criteria for place of service (POS) is not appropriate for the procedure performed. The OIG Audit

          Based upon the exception noted, the FEP Operations Center and the FEPDO will conduct a review of the procedures and POS to ensure that this edit is functioning as designed and that the Place of Services are correctly identified on the allowable claims table. At this time, we do not have an expected completion date for this project.”

OIG Reply:
As part of the audit resolution process, we recommend that the BCBSA provide OPM’s HIO with evidence to ensure that a full review of place of service codes was conducted and that system modifications have been made to ensure claims are not being inappropriately processed.

b. Non-Par Pricing
A non-participating (non-par) provider was paid an amount significantly greater than the amount allowed by the Medicare fee schedule.

Non-par professional claims are priced by          We submitted a test claim directly into          for a Medicare subscriber visiting a non-par provider.
This claim contained a procedure code for an office visit, a diagnosis code for          and submitted charges of $6,000. Although the Medicare fee schedule allows $38.50 for an office visit, the system paid the provider the full $6,000 of submitted charges.

According to the BlueCross BlueShield benefit brochure, the non-participating provider allowance (NPA) is calculated as the greater of the Medicare fee schedule or the Plan’s usual, customary, and reasonable pricing allowance (PPA). In this test case, the processor entered a PPA equal to the submitted charges of $6,000.

During a prior audit in 2008, we discovered this exact problem in the          system. In response to our recommendation to modify the system, we were told that the BCBSA was “conducting a study to determine the specifications required to implement an edit that would defer any non-par priced claim that exceeds 40% of the Medicare Fee Schedule. The results of the study are expected during the fourth quarter 2008 with implementation of the recommendation in 2009.” We submitted these claims as a follow-up test of the functionality of the controls purported to be in place by 2009.
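The three claims edits examined in this part of the report (debarred-provider flagging with the 15-day grace period, the place-of-service/procedure check, and the non-par pricing rule), worked through as an added example that is not HCSC, BCBSA or FEP code; it also includes the provider-file reconciliation that Recommendation 10 asks for. The procedure and POS codes, fee-schedule table, provider identifiers and dates are constructed, and the 2008 study's "exceeds 40% of the Medicare Fee Schedule" is read as NPA greater than 1.4 times the Medicare allowance; only the $38.50 and $6,000 figures come from the report.

```python
"""Claims adjudication edits modelled on the findings in this report (added example;
not HCSC, BCBSA or FEP code). All code tables, identifiers and dates are constructed."""
from dataclasses import dataclass, field
from datetime import date, timedelta

GRACE_DAYS = 15            # report: 15-day grace period for the member to find a new provider
NON_PAR_VARIANCE = 0.40    # assumption: "exceeds 40% of the Medicare Fee Schedule"
                           # read as NPA > 1.4 x the Medicare allowance

# Constructed lookup tables (illustrative only; real code sets are far larger).
MEDICARE_FEE_SCHEDULE = {"99213": 38.50}   # office visit; $38.50 is the report's figure
# Procedure code -> place-of-service codes on which it may legitimately be performed.
ALLOWED_POS = {"99213": {"11", "22"},      # office visit: office or outpatient hospital
               "27447": {"21", "22"}}      # knee replacement: inpatient or outpatient only
DEBARRED_FILE = {"P-DEBARRED": date(2013, 6, 1)}   # provider id -> date added to the file


@dataclass
class Claim:
    claim_id: str
    provider_id: str
    procedure: str
    pos: str
    charges: float
    ppa: float          # Plan pricing allowance keyed by the processor
    non_par: bool
    service_date: date


@dataclass
class Decision:
    status: str         # "PAY", "DEFER" (suspend for review) or "DENY"
    reasons: list = field(default_factory=list)
    allowed: float = 0.0


def non_par_allowance(medicare: float, ppa: float) -> float:
    """NPA is the greater of the Medicare fee schedule and the Plan's PPA (brochure rule)."""
    return max(medicare, ppa)


def adjudicate(claim: Claim, debarred: dict) -> Decision:
    """Apply the three edits in order; a failed edit defers rather than paying silently."""
    d = Decision("PAY")
    # Edit 1: debarment. Inside the grace period the claim pays but the member is notified;
    # after it, further services are denied.
    added = debarred.get(claim.provider_id)
    if added is not None:
        if claim.service_date > added + timedelta(days=GRACE_DAYS):
            return Decision("DENY", ["debarred provider; grace period elapsed"])
        d.reasons.append("debarred provider; within grace period, notify member")
    # Edit 2: the place of service must be valid for the procedure performed.
    if claim.pos not in ALLOWED_POS.get(claim.procedure, set()):
        d.status = "DEFER"
        d.reasons.append(f"POS {claim.pos} not valid for procedure {claim.procedure}")
    # Edit 3: non-par pricing. Compute the NPA and suspend when it exceeds Medicare by
    # more than the variance threshold, whatever the processor keyed as the PPA.
    medicare = MEDICARE_FEE_SCHEDULE.get(claim.procedure)
    if claim.non_par and medicare is not None:
        d.allowed = non_par_allowance(medicare, claim.ppa)
        if d.allowed > medicare * (1 + NON_PAR_VARIANCE):
            d.status = "DEFER"
            d.reasons.append(f"NPA {d.allowed:.2f} exceeds Medicare {medicare:.2f} "
                             f"by more than {NON_PAR_VARIANCE:.0%}")
    else:
        d.allowed = min(claim.charges, claim.ppa)
    return d


def audit_debarment_file(oig_list: set, provider_file: set) -> dict:
    """Reconcile the monthly OIG debarment list against the provider file (Recommendation 10).
    'missing' providers would still be paid; 'unexpected' ones are flagged without cause."""
    return {"missing": sorted(oig_list - provider_file),
            "unexpected": sorted(provider_file - oig_list)}


def sample_claims() -> list:
    """Constructed claims; C1 reproduces the report's $6,000 office-visit test."""
    svc = date(2013, 6, 10)
    return [
        Claim("C1", "P-NONPAR", "99213", "11", 6000.00, 6000.00, True, svc),
        Claim("C2", "P-NONPAR", "99213", "11", 50.00, 45.00, True, svc),        # within tolerance
        Claim("C3", "P-DEBARRED", "99213", "11", 120.00, 100.00, False, svc),   # in grace period
        Claim("C4", "P-DEBARRED", "99213", "11", 120.00, 100.00, False, date(2013, 7, 1)),
        Claim("C5", "P-PAR", "27447", "11", 9000.00, 8000.00, False, svc),      # surgery at POS 11
    ]


def run_samples() -> dict:
    """claim_id -> adjudication status for the constructed claims."""
    return {c.claim_id: adjudicate(c, DEBARRED_FILE).status for c in sample_claims()}


if __name__ == "__main__":
    for c in sample_claims():
        d = adjudicate(c, DEBARRED_FILE)
        print(c.claim_id, d.status, f"allowed={d.allowed:.2f}", "; ".join(d.reasons))
    print(audit_debarment_file({"P-A", "P-DEBARRED"}, {"P-DEBARRED", "P-Z"}))
```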
We expected the system to suspend the claim after detecting the large variance between the PPA and the Medicare fee schedule.

This system weakness increases the risk that non-par providers are being significantly overpaid when they inadvertently or fraudulently submit charges well in excess of the Medicare fee schedule amount.

Recommendation 12
We recommend that BCBSA implement the appropriate system modifications to ensure that non-par provider claims are suspended for review when there is a large variance between the NPA and the Medicare fee schedule.

HCSC Response:
“In order to comply with the above OIG recommendation, a request has been submitted to our system-intake committee to conduct an analysis of the required changes needed to be implemented into          The completion of this analysis is not expected until the          due to the year-end benefit changes.”

OIG Reply:
As part of the audit resolution process, we recommend that the BCBSA provide OPM’s HIO with evidence that system modifications have been made to ensure that non-par provider claims are suspended for review when there is a large variance between the NPA and the Medicare fee schedule.

G. Health Insurance Portability and Accountability Act
The OIG reviewed HCSC’s efforts to maintain compliance with the security and privacy standards of HIPAA.

HCSC has implemented a series of IT security policies and procedures to adequately address the requirements of the HIPAA security rule. HCSC has also developed a series of privacy policies and procedures that directly addresses all requirements of the HIPAA privacy rule.
HCSC reviews its HIPAA privacy and security policies annually and updates them when necessary. HCSC has designated a Privacy Official who has the responsibility of ensuring compliance with HIPAA Privacy and Security policies. Each year, all employees must complete HCSC’s computer-based training course. This training encompasses HIPAA privacy and security regulations as well as general IT compliance.

Nothing came to our attention that caused us to believe that HCSC is not in compliance with the various requirements of HIPAA regulations.

III. Major Contributors to This Report

This audit report was prepared by the U.S. Office of Personnel Management, Office of Inspector General, Information Systems Audits Group. The following individuals participated in the audit and the preparation of this report:
•          Deputy Assistant Inspector General for Audits
•          Chief, Information Systems Audit Group
•          , Lead IT Auditor-In-Charge
•          , IT Auditor
•          , IT Auditor
•          , IT Auditor

Appendix

September 10, 2013

Federal Employee Program
1310 G Street, N.W.
Washington, D.C. 20005
202.942.1000
Fax 202.942.1125

          Senior Team Lead
Information Systems Audits Group
Insurance Service Programs
Office of Personnel Management
1900 E Street, N.W., Room 6400
Washington, D.C.
20415

Reference: OPM DRAFT EDP AUDIT REPORT
           HCSC BlueCross BlueShield Plans
           Audit Report Number 1A-10-17-13-026
           Report Dated July 3, 2013 and Received July 3, 2013

Dear          ,

This report is in response to the above-referenced U.S. Office of Personnel Management (OPM) Draft Audit Report covering the Federal Employees Health Benefits Program (FEHBP) Audit of Information Systems General and Application Controls for the Plan’s interface with the FEP claims processing system, access, and security controls. Our comments regarding the recommendations in this report are as follows:

A. Security Management
No recommendations made in this area.

B. Access Controls

1. Privileged User Monitoring
Recommendation 1

The OIG Auditors recommend that HCSC provide evidence of several iterations of the weekly audit process.

Response to Recommendation 1

Recommendation 2

The OIG Auditors recommend that HCSC implement a methodology to ensure that physical access to facilities is removed promptly following employee termination.

Response to Recommendation 2

Reference Plan response in recommendation #1 above.

C. Network Security

1. Full Scope Vulnerability Scanning

Recommendation 3

The OIG Auditors recommend that HCSC ensure that vulnerability scanning is conducted on all servers, specifically the servers housing Federal data that are not currently part of HCSC’s vulnerability management program.

Response to Recommendation 3

The Plan stated it is currently deploying the capabilities to validate security settings of systems to ensure their security posture is regularly validated and reported. The Security Validation capabilities will focus on measuring adherence to approved security baselines and measuring the remediation of security vulnerabilities through the application of patches.
The validation capabilities are being rolled out by platform, with the initial deployment operational by          . At that time, a server list will be compiled by the HCSC configuration management system; the servers identified will be scanned at least annually.

2. Vulnerabilities Identified in Scan Results

Recommendation 4

The OIG Auditors recommend that HCSC implement proper procedures and controls to ensure that production servers are installed with appropriate patches, service packs, and hot-fixes on a timely basis.

Response to Recommendation 4

The Plan states by          , it will develop a plan to supplement existing operational patching processes. The Plan will include a revised patch management policy, milestones for creating platform-specific standards, and a roadmap for implementing operational process enhancements.

Recommendation 5

The OIG Auditors recommend that HCSC implement a methodology to ensure that only current and supported versions of system software are installed on the production servers.

Response to Recommendation 5

The Plan states it is aware that some unsupported software runs on its network and agrees it would be preferable for all software to be at current versions. There will be occasions where their business and Information Technology Group (ITG) departments partner to make risk-aware decisions to not upgrade or replace software. Software that is to become unsupported is inventoried and the impacts of upgrading, replacing, or accepting risk are discussed with business owners.
Decisions to not upgrade low-risk software may be based on business drivers such as “Reliant applications are to be retired” or “the Plan will pay for extended vendor support until internal resources are available for the upgrade.”

In 2011, the Plan initiated a Technology Lifecycle Management program to address software and hardware currency. Under this program, the Plan maintains a centralized repository of technologies (Enterprise Technology Catalog) containing internal technology owner, vendor, HCSC lifecycle dates, next-in-line products (for products going out of support) and other metadata that describes the uses within HCSC. Regular audits of our applications are conducted to ensure support teams consider software currency. We expect the amount of unsupported software to decrease as the program matures.

3. Privileged User Access Monitoring

Recommendation 6

The OIG Auditors recommend that HCSC implement a process to routinely review elevated user (administrator) activity.

Response to Recommendation 6
The Plan states it maintains a near real-time security monitoring and analysis program. Security event correlation rules are in place to monitor user activity including those with elevated privileges. When correlation rules are triggered for all types of users, including those with elevated privileges, they are investigated and documented within our                    . These completed investigations, including case closure notes, are then presented to senior leadership on a quarterly and annual basis. Senior leadership reviews the documentation and provides feedback as appropriate.

D. Configuration Management

1.
Baseline Configuration Policy

Recommendation 7

The OIG Auditors recommend that HCSC document approved mainframe security configurations.

Response to Recommendation 7

The Plan states it currently configures its mainframe systems to adhere to a common, consistent set of security settings. These security configuration settings are applied to the mainframe baselines. The Plan will formally document the existing security configuration standard for mainframe systems by          . See Attachment 4.

2. Configuration Compliance Auditing

Recommendation 8

The OIG Auditors recommend that HCSC routinely audit mainframe security configuration settings to ensure they are in compliance with the approved baseline.

Response to Recommendation 8

The Plan is currently deploying the capabilities to validate security settings of systems to ensure their security posture is regularly validated and reported. The Security Validation capabilities will focus on measuring adherence to approved security baselines and measuring the remediation of security vulnerabilities through the application of patches. Planned steps and timeline include:

   •   Finalize mainframe security configuration standard (in process);
   •                    ; and
   •   Build and execute configuration review process for mainframe.

The validation capabilities are being rolled out          . A plan for the mainframe checks will be in place by          .

Recommendation 9

The OIG Auditors recommend that HCSC routinely audit network server security configuration settings to ensure they are in compliance with the approved configuration images.

Response to Recommendation 9

The Plan states it is currently deploying the capabilities to validate security settings of systems to ensure their security posture is regularly validated and reported.
The Security Validation capabilities will focus on measuring adherence to approved security baselines and measuring the remediation of security vulnerabilities through the application of patches. The validation capabilities are being rolled out          . Network server setting configurations are scheduled to be in place by          .

E. Contingency Planning

No recommendations made in this area.

F. Claims Adjudication

1. Debarment

Recommendation 10

The OIG Auditors recommend that HCSC implement a process to routinely audit the provider file to ensure that all debarment-related modifications are complete and accurate.

Response to Recommendation 10
The Plan currently has technicians in the Service Delivery Operations (SDO) department pull Debarred Provider reports. The Debarred Provider reports are sent to responsible resources in the Federal Employee Program (FEP) Operations, Corporate Compliance, Government Programs Marketing, and Government Contracts Processing departments for review. Once each area performs their review of the report, a notification e-mail is sent to the responsible SDO Technicians and FEP Operations Management.

On a quarterly basis, FEP Operations Management will pull a sample from the original reports to confirm the accuracy and timeliness of the updates. Partial quarterly reviews were performed in April 2013 and June 2013. The first full quarter review will be performed in 4th Quarter 2013. See Attachments 5a – 5d for April 2013 Validations and June 2013 Validations.

2.
Place of Service/Procedure Inconsistency

Recommendation 11

The OIG Auditors recommend that BCBSA conduct a full review of place of service codes to appropriately tailor the edit to ensure claims are not being inappropriately processed.

Response to Recommendation 11

FEP currently has an edit in          that would defer claims if the criteria for place of service (POS) is not appropriate for the procedure performed. The OIG Audit submitted a claim

          Based upon the exception noted, the FEP Operations Center and the FEPDO will conduct a review of the procedures and POS to ensure that this edit is functioning as designed and that the Place of Services are correctly identified on the allowable claims table. At this time, we do not have an expected completion date for this project.

3. Non-Par Pricing

Recommendation 12

The OIG Auditors recommend that BCBSA implement the appropriate system modifications to ensure that non-par provider claims are suspended for review when there is a large variance between the Non Par Allowance (NPA) and the Medicare fee schedule.

Response to Recommendation 12

In order to comply with the above OIG recommendation, a request has been submitted to our system-intake committee to conduct an analysis of the required changes needed to be implemented into          The completion of this analysis is not expected until the          due to the year-end benefit changes.

G.
Health Insurance Portability and Accountability Act

No recommendations made in this area.

We appreciate the opportunity to provide our response to this Draft Audit Report and request that our comments be included in their entirety as an amendment to the Final Audit Report.

Sincerely,

          , Managing Director
Program Assurance

Attachments

cc:          , OPM
             , OPM
             HCSC
             , HCSC
             , FEPDO
             , FEPDO